Manage asset inventory retention in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence automatically stores asset records in its inventories for an indefinite period of time. Over time, your asset inventories can grow significantly in size. You might want to remove assets that haven't been active in a long time or assets that are no longer accurate. For example, imagine Splunk Asset and Risk Intelligence detects an IP address on a host. After over a month with no activity, the IP address still lacks any updates. As a result, some of the field values for this asset might not be accurate anymore, so you might want to remove the values assigned to particular fields within the inventory.

To manage the size of your asset inventories, you can modify the retention period for asset records, and you can also modify the retention period for particular field values.

Modify the retention period for asset inventory records

To modify the retention period for asset inventory records, complete the following steps:

Activating a retention period can result in the permanent deletion of data.

1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Inventory aging management.
2. Select the settings icon ( ) for the inventory you want to modify.
3. Enter a retention period in seconds. The retention period is based on the last detected date in Splunk Asset and Risk Intelligence. If an asset hasn't been detected in the period of time you specify, Splunk Asset and Risk Intelligence removes it.
4. Select Update.
5. Select Admin and then Configuration settings.
6. In the Inventory record retention searches section, select the toggle switch for the inventory that you modified to activate that retention period.

After you modify the retention period and activate it, you can find the updated data retention time for the inventory on the Inventory aging management page. The status for the inventory displays Active.

Modify the retention period for asset inventory fields

You can create rules to modify the retention period for particular fields within an inventory. To add an inventory rule, complete the following steps:

1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Inventory aging management.
2. Select Add inventory rule.
3. Using the drop-down list, select an inventory.
4. Select the field name you want to modify the retention period for.
5. Select the action you want to perform when the asset reaches the retention period.
   • Select Clear field to delete the field value after the asset reaches the retention period.
   • Select Reduce priority to allow other data sources to overwrite the field value after the asset reaches the retention period.
6. Enter a retention period in seconds.
7. Select Add.
8. Select Admin and then Configuration settings.
9. In the Inventory field retention searches section, select the toggle switch for the inventory that you modified to activate that retention period.

   Activating a retention period can result in the permanent deletion of data.

After you add an inventory rule, you can find it listed on the Inventory aging management page in the Inventory field retention rules table. You can edit the retention period again by selecting the settings icon ( ) for that rule, and you can remove the rule entirely by selecting the delete icon ( ).